Re: How to group by a field and display multiple f...

andytangjpmc · ‎09-24-2019

I have trace, level, and message fields in my events. I want to group by trace, and I also want to display all other fields. I'm having issues with multiple fields lining up when they have different amount of lines.

Here's what I want:

+--------+-------+----------+
| trace1 | INFO  | Message1 |
|        |       | Line2    |
|        +-------+----------+
|        | DEBUG | Message2 |
|        +-------+----------+
|        | DEBUG | Message3 |
+--------+-------+----------+

But I end up with results like this:

+--------+-------+----------+
| trace1 | INFO  | Message1 |
|        +-------+ Line2    |
|        | DEBUG |          |
|        +-------+----------+
|        | DEBUG | Message2 |
|        +-------+----------+
|        |       | Message3 |
+--------+-------+----------+

Here's my search query:

| stats list(level), list(message) by trace

somesoni2 · ‎09-24-2019

Multiple level grouping (similar to merging columns in Excel) is not supported natively. For your requirement, try something like this:

..| stats list(message) by trace level

OR

...| eval Level_message=level."  ##  ".message | stats list(Level_message) by trace

How to group by a field and display multiple fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation